Skip to content
Phones' accelerometers allow you to be tracked underground
Naked Security Naked Security

Phones’ accelerometers allow you to be tracked on the metro

No GPS or cell tower triangulation necessary. All it takes is learning the world's unique metro routes, then listening as phones jiggle along.

We know that we can be tracked using GPS data from mobile phones, which can triangulate location from nearby cell towers.

In fact, US courts have been grappling with whether or not the Fourth Amendment protects geolocation data gleaned from our own phones, among other sources.

But it turns out that even without GPS or cell service, we can be tracked through our phones on our daily commutes – including what metro system we’re riding, what stations we get on and off at, and where we stop to meet up with a certain somebody.

The data comes from our phones’ accelerometers, as described by Chinese researchers from Nanjing University in a paper that hasn’t yet been peer-reviewed.

The reason that metros are so prone to this type of attack is that they run on fixed rails, for fixed distances, unlike the more complex combinations of multilane highways and roads across which cars or buses zigzag.

Given the fact that each metro system has a finite set of twists and turns and distances that culminate in a unique “fingerprint,” accelerometer data could be used to trace us, the researchers say.

From the paper:

The cause is that metro trains run on tracks, making their motion patterns distinguishable from cars or buses running on ordinary roads. Moreover, due to the fact that there are no two pairs of neighboring stations whose connecting tracks are exactly the same in the real world, the motion patterns of the train within different intervals are distinguishable as well.

As far as surveillance goes, accelerometers beat GPS or cell service, which both drop out in tunnels.

The research paper, titled We Can Track You If You Take the Metro, comes from three researchers at Nanjing University’s Computer Science and Technology department.

They point out that this isn’t the first time we’ve heard that accelerometers can be used for purposes other than their intended use.

In 2013, Swarthmore College researchers claimed that they could figure out a user’s passcode with as few as five guesses, based on accelerometer-revealed movement that was then matched with a database of known patterns.

Other so-called “sensory malware” has included a malicious Android app that uses the phone’s embedded camera and other spatial sensors to create 3D visual maps of the owner’s home and other spaces.

In order to track people, the researchers say that “the attacker” would first have to learn a metro line’s fingerprint, then install malware on a target’s phone, which would in turn intercept its accelerometer readings.

They conducted experiments in China by tracking volunteers carrying mobile phones through subways in Nanjing, achieving tracking accuracy that reached between 70% and 92% depending on the number of stations visited.

The researchers describe an attack of this sort as being both more effective and more powerful than one that relies on GPS or cellular service to trace metro passengers.

It’s also far easier to pull off, given that platforms such as Android let applications access accelerometers without requiring special privileges or explicit user consent.

In other words, users don’t have to give their say-so when an app accesses accelerometer data, and users would be oblivious to an attack.

Compare that with GPS and cellular: on most mobile platforms, apps have to request user permission before accessing location data coming from the GPS sensors or cellular localization.

In either case, an icon flags the use of those components, thereby tipping the user off.

By tracking a phone user over the course of days, an attacker could not only glean his or her physical location and travel habits, but could also piece together who he or she might be meeting up with, the researchers say.

One possible defense against such an attack is to mix noise into what would otherwise be clear accelerometer data, then to force apps to request pure, undiluted data from motion sensors – a stipulation that would force potentially malicious apps to lay their cards on the table and disclose their data consumption.

The researchers say that power consumption is negligible, in spite of continuous accelerometer reading.

It could get smaller still, were the researchers to tweak the data extraction by moving it from the server to the phone, or if the app went into sleep mode to accommodate periods when a target isn’t riding the metro.

Nevertheless, increased power consumption will still be a telltale sign, the researchers say, in spite of the attack’s limited power use:

No matter how the malware tries to conceal itself, the acquisition of sensor data will lead to an increasing power consumption of the smartphone. We may scrutinize the status of power consumption of programs to examine those programs that keep consuming too much electricity. In this way, it is highly possible for us to find malware that operates [in the] background.

Image of subway train courtesy of Tequiero / .</p


When do we expect to have software that detects and id’s these packages on our phones via a power usage curve or other data collected on the phone itself. Seems like that’s what the people are saying is the best way of finding malware on devices. Sounds good to me, also sounds like a perfect way to embed malware on devices stating your ‘looking for malware’…



Why do some phones have accelerometers? How do I know if mine (BB) does? How would I turn it off, if possible?
At least people could turn off their phones during a metro trip. Or put them in a Faraday Cage pouch.
As well as metro lines, would this work on above ground train lines? Probably.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!